Rounding up...

Exclusive offer: get 50% off this eBook here
Instant Java Password and Authentication Security [Instant]

Instant Java Password and Authentication Security [Instant] — Save 50%

A practical, hands-on guide to securing Java application passwords with hashing techniques with this book and ebook

$19.99    $10.00
by Fernando Mayoral | November 2013 | Open Source

This article by by Fernando Mayoral, the authors of the book Instant Java Password Authentication and Security, gives the high level overview to round up the complete authentication process

(For more resources related to this topic, see here.)

We have now successfully learned how to secure our users' passwords using hashes; however, we should take a look at the big picture, just in case.

The following figure shows what a very basic web application looks like:

Note the https transmission tag: HTTPS is a secure transfer protocol, which allows us to transport information in a secure way. When we transport sensitive data such as passwords in a Web Application, anyone who intercepts the connection can easily get the password in plain text, and our users' data would be compromised.

In order to avoid this, we should always use HTTPS when there's sensitive data involved. HTTPS is fairly easy to setup, you just need to buy an SSL certificate and configure it with your hosting provider. Configuration varies depending on the provider, but usually they provide an easy way to do it.

It is strongly suggested to use HTTPS for authentication, sign up, sign in, and other sensitive data processes. As a general rule, most (if not all) of the data exchange that requires the user to be logged in should be protected. Keep in mind that HTTPS comes at a cost, so try to avoid using HTTPS on static pages that have public information.

Always keep in mind that to protect the password, we need ensure secure transport (with HTTPS) and secure storage (with strong hashes) as well. Both are critical phases and we need to be very careful with them.

Now that our passwords and other sensitive data are being transferred in a secure way, we can get into the application workflow. Consider the following steps for an authentication process:

  1. The application receives an Authentication Request.
  2. The Web Layer takes care of it as it gets the parameters (username and password), and passes them to the Authentication Service.
  3. The Authentication Service calls the Database Access Layer to retrieve the user from the database.
  4. The Database Access Layer queries the database, gets the user, and returns it to the Authentication Service.
  5. The Authentication Service gets the stored hash from the users' data retrieved from the database, extracts the salt and the amount of iterations, and calls the Hashing Utility passing the password from the authentication request, the salt, and the iterations.
  6. The Hashing Utility generates the hash and returns it to the Authentication Service.
  7. The Authentication Service performs a constant-time comparison between the stored hash and the generated hash, and we inform the Web Layer if the user is authenticated or not.
  8. The Web Layer returns the corresponding view to the user depending on whether they are authenticated or not.

The following figure can help us understand how this works, please consider that flows 1, 2, 3, and 4 are bidirectional:

The Authentication Service and the Hashing Utility components are the ones we have been working with so far. We already know how to create hashes, this workflow is an example to understand when we should it.

Summary

In this article we learned how to create hashes and have now successfully learned how to secure our users' passwords using hashes. We have also learned that we need to ensure secure transport (with HTTPS) and secure storage (with strong hashes) as well.

Resources for Article:


Further resources on this subject:


Instant Java Password and Authentication Security [Instant] A practical, hands-on guide to securing Java application passwords with hashing techniques with this book and ebook
Published: November 2013
eBook Price: $19.99
See more
Select your format and quantity:

About the Author :


Fernando Mayoral

Fernando Mayoral is a young app developer and an advanced student in Systems Engineering, with experience in distributed systems, data mining, high performance algorithms, and web security. He is a web security enthusiast, always trying to learn as
much as possible.

Fernando has taken part in very interesting startups, personal projects, and full time jobs. He has worked on big projects for Cardif, a multinational insurance company that is part of the BNP Paribas group, and has collaborated indirectly on projects for Toyota and Pan American Energy.

Books From Packt


Java EE 5 Development using GlassFish Application Server
Java EE 5 Development using GlassFish Application Server

ModSecurity 2.5
ModSecurity 2.5

Open Source Identity Management Patterns and Practices Using OpenAM 10.x
Open Source Identity Management Patterns and Practices Using OpenAM 10.x

Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services
Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services

GlassFish Security
GlassFish Security

Instant Citrix Security How-to [Instant]
Instant Citrix Security How-to [Instant]

Pluggable Authentication Modules: The Definitive Guide to PAM for Linux SysAdmins and C Developers
Pluggable Authentication Modules: The Definitive Guide to PAM for Linux SysAdmins and C Developers

Mobile Security: How to Secure, Privatize, and Recover Your Devices
Mobile Security: How to Secure, Privatize, and Recover Your Devices


Code Download and Errata
Packt Anytime, Anywhere
Register Books
Print Upgrades
eBook Downloads
Video Support
Contact Us
Awards Voting Nominations Previous Winners
Judges Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software
Resources
Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software